Vulnerabilities > CVE-2009-3466 - Resource Management Errors vulnerability in Adobe Shockwave Player

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
adobe
CWE-399
critical
nessus

Summary

Adobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption, related to an "invalid string length vulnerability." NOTE: some of these details are obtained from third party information.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SHOCKWAVE_PLAYER_APSB09_16.NASL
    descriptionThe remote Mac OS X host contains a version of Adobe Shockwave Player that is 11.5.1.601 or earlier. It is, therefore, affected by multiple vulnerabilities : - An invalid index vulnerability allows code execution. (CVE-2009-3463) - Invalid pointer vulnerabilities that allow code execution. (CVE-2009-3464, CVE-2009-3465) - An invalid string length vulnerability allows code execution. (CVE-2009-3466) - A boundary condition issue allows a denial of service. (CVE-2009-3244)
    last seen2020-06-01
    modified2020-06-02
    plugin id80170
    published2014-12-22
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80170
    titleAdobe Shockwave Player <= 11.5.1.601 Multiple Vulnerabilities (APSB09-16) (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(80170);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/25");
    
      script_cve_id(
        "CVE-2009-3244",
        "CVE-2009-3463",
        "CVE-2009-3464",
        "CVE-2009-3465",
        "CVE-2009-3466"
      );
      script_bugtraq_id(36905);
    
      script_name(english:"Adobe Shockwave Player <= 11.5.1.601 Multiple Vulnerabilities (APSB09-16) (Mac OS X)");
      script_summary(english:"Checks the version of Shockwave Player.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host contains a web browser plugin that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Mac OS X host contains a version of Adobe Shockwave Player
    that is 11.5.1.601 or earlier. It is, therefore, affected by multiple
    vulnerabilities :
    
      - An invalid index vulnerability allows code execution.
        (CVE-2009-3463)
    
      - Invalid pointer vulnerabilities that allow code
        execution. (CVE-2009-3464, CVE-2009-3465)
    
      - An invalid string length vulnerability allows code
        execution. (CVE-2009-3466)
    
      - A boundary condition issue allows a denial of service.
        (CVE-2009-3244)");
      script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb09-16.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Adobe Shockwave version 11.5.2.602 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3466");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(94, 119, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:shockwave_player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("shockwave_player_detect_macosx.nbin");
      script_require_keys("installed_sw/Shockwave Player", "Host/MacOSX/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    app = 'Shockwave Player';
    
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    ver = install['version'];
    path = install['path'];
    
    if (ver_compare(ver:ver, fix:'11.5.1.601', strict:FALSE) <= 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + ver +
          '\n  Fixed versions    : 11.5.2.602' +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(port:0);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);
    
  • NASL familyWindows
    NASL idSHOCKWAVE_PLAYER_APSB09_16.NASL
    descriptionThe remote Windows host contains a version of Adobe
    last seen2020-06-01
    modified2020-06-02
    plugin id42369
    published2009-11-04
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42369
    titleShockwave Player <= 11.5.1.601 Multiple Vulnerabilities (APSB09-16)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42369);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/27 18:38:15");
    
      script_cve_id("CVE-2009-3244", "CVE-2009-3463", "CVE-2009-3464", "CVE-2009-3465", "CVE-2009-3466");
      script_bugtraq_id(36905);
    
      script_name(english:"Shockwave Player <= 11.5.1.601 Multiple Vulnerabilities (APSB09-16)");
      script_summary(english:"Checks version of Shockwave Player");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a web browser plugin that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host contains a version of Adobe's Shockwave Player
    that is 11.5.1.601 or earlier. As such, it is affected by multiple
    issues :
    
      - An invalid index vulnerability could lead to code
        execution. (CVE-2009-3463)
    
      - Invalid pointer vulnerabilities could lead to code
        execution. (CVE-2009-3464, CVE-2009-3465)
    
      - An invalid string length vulnerability could potentially
        lead to code execution. (CVE-2009-3466)
    
      - A boundary condition issue could lead to a denial
        of service. (CVE-2009-3244)");
      script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb09-16.html");
      script_set_attribute(attribute:"solution", value:"Upgrade to Adobe Shockwave version 11.5.2.602 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(94, 119, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:shockwave_player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139,445);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("smb_func.inc");
    include("audit.inc");
    
    # Connect to the appropriate share.
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0, "The 'SMB/Registry/Enumerated' KB item is missing.");
    name    = kb_smb_name();
    port    = kb_smb_transport();
    
    login   = kb_smb_login();
    pass    = kb_smb_password();
    domain  = kb_smb_domain();
    
    
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      exit(1, "Can't connect to IPC$ share.");
    }
    
    #Connect to remote registry
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(1, "Can't connect to the remote registry.");
    }
    
    #Check whether it's installed
    variants = make_array();
    
    # - check for the browser plugin
    key = "SOFTWARE\MozillaPlugins\@adobe.com/ShockwavePlayer";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      item = RegQueryValue(handle:key_h, item:"Path");
      if (!isnull(item))
      {
        file = item[1];
        variants[file] = "Plugin";
      }
      RegCloseKey(handle:key_h);
    }
    key = "SOFTWARE\Mozilla";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      info = RegQueryInfoKey(handle:key_h);
      for (i=0; i<info[1]; ++i)
      {
        subkey = RegEnumKey(handle:key_h, index:i);
        if (strlen(subkey) && subkey =~ "^Mozilla Firefox ")
        {
          key2 = key + "\" + subkey + "\Extensions";
          key2_h = RegOpenKey(handle:hklm, key:key2, mode:MAXIMUM_ALLOWED);
          if (!isnull(key2_h))
          {
            item = RegQueryValue(handle:key2_h, item:"Plugins");
            if (!isnull(item))
            {
              file = item[1] + "\np32dsw.dll";
              variants[file] = "Plugin";
            }
            RegCloseKey(handle:key2_h);
          }
        }
      }
      RegCloseKey(handle:key_h);
    }
    
    opera_path = get_kb_item("SMB/Opera/Path");
    if (!isnull(opera_path))
    {
      # nb: we'll check later whether this actually exists.
      file = opera_path + "Program\Plugins\np32dsw.dll";
      variants[file] = "Plugin";
    }
    
    #Check for the ActiveX control
    clsids = make_list(
      '{4DB2E429-B905-479A-9EFF-F7CBD9FD52DE}',
      '{233C1507-6A77-46A4-9443-F871F945D258}',
      '{166B1BCA-3F9C-11CF-8075-444553540000}'     #used in versions <= 10.x
    );
    foreach clsid (clsids)
    {
      key = "SOFTWARE\Classes\CLSID\" + clsid + "\InprocServer32";
      key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
      if (!isnull(key_h))
      {
        item = RegQueryValue(handle:key_h, item:NULL);
        if (!isnull(item))
        {
          file = item[1];
          variants[file] = "ActiveX";
        }
        RegCloseKey(handle:key_h);
      }
    }
    RegCloseKey(handle:hklm);
    if (max_index(keys(variants)) == 0)
    {
      NetUseDel();
      exit(0, "Shockwave Player is not installed.");
    }
    
    #Determine the version of each instance found.
    files = make_array();
    info = "";
    
    foreach file (keys(variants))
    {
      #Don't report again if the name differs only in its case.
      if (files[tolower(file)]++) continue;
    
      variant = variants[file];
    
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
      file2 = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);
      NetUseDel(close:FALSE);
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(1, "Can't connect to "+share+" share.");
      }
    
      fh = CreateFile(
        file:file2,
        desired_access:GENERIC_READ,
        file_attributes:FILE_ATTRIBUTE_NORMAL,
        share_mode:FILE_SHARE_READ,
        create_disposition:OPEN_EXISTING
      );
      if (!isnull(fh))
      {
        ver = GetFileVersion(handle:fh);
        CloseFile(handle:fh);
    
        if (
          isnull(ver) ||
          (ver[0] == 0 && ver[1] == 0 && ver[2] == 0 && ver[3] == 0)
        )
        {
          NetUseDel();
          exit(1, "Failed to get the file version from '"+file+"'.");
        }
    
        if (
          ver[0] < 11 ||
          (
            ver[0] == 11 &&
            (
              ver[1] < 5 ||
              (
                ver[1] == 5 &&
                (
                  ver[2] < 1 ||
                  (ver[2] == 1 && ver[3] <= 601)
                )
              )
            )
          )
        )
        {
          version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);
    
          if (variant == "Plugin")
          {
            info += '  - Browser Plugin (for Firefox / Netscape / Opera) :\n';
          }
          else if (variant == "ActiveX")
          {
            info += '  - ActiveX control (for Internet Explorer) :\n';
          }
          info += '    ' + file + ', ' + version + '\n';
        }
      }
      NetUseDel(close:FALSE);
    }
    NetUseDel();
    
    if (!info) exit(0, "No vulnerable installs of Shockwave Player were found.");
    
    if (report_verbosity > 0)
    {
      if (max_index(split(info)) > 2) s = "s";
      else s = "";
    
      report = string(
        "\n",
        "Nessus has identified the following vulnerable instance", s, " of Shockwave\n",
        "Player installed on the remote host :\n",
        "\n",
        info
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port:port);
    

Oval

accepted2014-11-10T04:02:31.831-05:00
classvulnerability
contributors
  • nameAntu Sanadi
    organizationSecPod Technologies
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
commentAdobe Shockwave Player is installed
ovaloval:org.mitre.oval:def:5990
descriptionAdobe Shockwave Player before 11.5.2.602 allows remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption, related to an "invalid string length vulnerability." NOTE: some of these details are obtained from third party information.
familywindows
idoval:org.mitre.oval:def:6395
statusaccepted
submitted2009-11-25T08:55:31.430-04:00
titleAdobe Shockwave Player before 11.5.2.602 allows Remote Code Execution invalid string length Vulnerability
version4

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:12583
last seen2017-11-19
modified2009-11-05
published2009-11-05
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-12583
titleAdobe Shockwave Player Multiple Code Execution Vulnerabilities